HTTPS is HTTP carried over SSL/TLS. Because the traffic is encrypted and the server is authenticated by its certificate, HTTPS stops a site from being hijacked in transit (content injected or altered between the server and the browser) and defeats man-in-the-middle attacks; search engines also rank HTTPS sites slightly higher. Enabling HTTPS is therefore recommended for any site. This post walks through obtaining an SSL certificate and enabling HTTPS on an nginx server.

I. Obtaining an SSL certificate

A free SSL certificate can be obtained from Let's Encrypt. It is valid for 90 days and is simply renewed (before it expires) for another 90.

Let's Encrypt is a free, automated and open certificate authority (CA), run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG).
Let's Encrypt gives people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

1. Stop the nginx server

The standalone authenticator used below starts its own temporary web server to answer the domain-validation challenge, so port 80 must be free (older Certbot releases also bound 443 for the TLS-SNI challenge, which has since been retired). Stop nginx first:

ps -ef | grep nginx     # find the pid of the nginx master process
kill -QUIT <pid>        # graceful shutdown of that master process

If nginx was installed with the lnmp.org one-click package, `lnmp nginx stop` does the same. If the downtime is not acceptable, Certbot's `--webroot` authenticator validates through the running nginx instead and needs no stop at all.

2. Install Certbot

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot was developed by EFF and others as a client for Let's Encrypt and was previously known as "the official Let's Encrypt client" or "the Let's Encrypt Python client".

Fetch the source and install Certbot with the following command (the `letsencrypt-auto`/`certbot-auto` wrapper used here has since been deprecated by the Certbot project in favour of distribution packages; the commands are shown as the post used them):

git clone https://github.com/letsencrypt/letsencrypt 

Then request the certificate. Every name passed with `-d` must already resolve to this server, and the e-mail address receives expiry reminders:

cd letsencrypt
./letsencrypt-auto certonly --standalone --email <email> -d <domain1> -d <domain2>

On success the output looks like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.freedommeadow.tk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.freedommeadow.tk/privkey.pem
   Your cert will expire on 2019-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As the notes say, four files are written to /etc/letsencrypt/live/<domain>/. They are symlinks into /etc/letsencrypt/archive/ that Certbot repoints on every renewal:

cert.pem - the server (leaf) certificate on its own (Apache's SSLCertificateFile)
chain.pem - the intermediate certificate(s) linking the leaf to a trusted root; the root itself is not included (Apache's SSLCertificateChainFile)
fullchain.pem - cert.pem followed by chain.pem; this is what nginx's ssl_certificate directive needs
privkey.pem - the private key, for ssl_certificate_key; keep it readable by root only
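Before nginx is pointed at these files it is worth checking that they are what nginx expects. The script below is an added example (it is not from the original post or the Certbot project): it wraps the issuance so that nginx is stopped and restarted by Certbot's own hooks instead of by hand, and it verifies the live/ directory layout: fullchain.pem really is cert.pem followed by chain.pem, an intermediate is present, the entries are symlinks rather than stale copies, and the key is owner-readable only. The Certbot checkout path and the nginx binary path are assumptions taken from the post's layout.

```shell
#!/bin/sh
# Added example, not part of the original post: issue the certificate without
# stopping nginx by hand, then sanity-check what Certbot wrote before nginx is
# pointed at it. Assumed paths: Certbot checked out to /root/letsencrypt as in
# the post and nginx under /usr/local/nginx; both are illustrative.

CERTBOT=/root/letsencrypt/letsencrypt-auto

# Issue (or re-issue) a certificate for the listed domains with the standalone
# authenticator. The hooks stop nginx only while the challenge runs and start
# it again after the attempt, whether or not validation succeeded.
issue_cert() {
    email=$1; shift
    names=""
    for d in "$@"; do names="$names -d $d"; done
    # $names is a deliberately unquoted word list of "-d name" pairs
    "$CERTBOT" certonly --standalone --non-interactive --agree-tos \
        --email "$email" $names \
        --pre-hook  "/usr/local/nginx/sbin/nginx -s quit" \
        --post-hook "/usr/local/nginx/sbin/nginx"
}

# Number of PEM certificate blocks in a file.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Check that a live/<domain> directory is usable by nginx. Returns 0 when all
# checks pass, 1 otherwise, printing one line per problem found.
check_live_dir() {
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f"
            rc=1
        elif [ ! -L "$dir/$f" ]; then
            # renewals update the symlinks under live/, not copies made elsewhere
            echo "warning: $dir/$f is a copy, not a symlink; renewals will not update it"
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # fullchain.pem must be cert.pem followed by chain.pem: nginx's
    # ssl_certificate wants the leaf first, then the intermediates.
    if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
        echo "fullchain.pem is not cert.pem followed by chain.pem"
        rc=1
    fi

    # A fullchain holding a single certificate is missing the intermediate;
    # clients that have not cached it cannot build a trust path.
    if [ "$(pem_cert_count "$dir/fullchain.pem")" -lt 2 ]; then
        echo "fullchain.pem contains no intermediate certificate"
        rc=1
    fi

    # The key must be readable by its owner only (ls -L follows the symlink;
    # columns 5-10 are the group and other permission bits).
    mode=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "privkey.pem is group- or world-readable (bits: $mode)"
        rc=1
    fi
    return "$rc"
}

# Usage: issue_cert you@example.com example.com www.example.com
#        check_live_dir /etc/letsencrypt/live/example.com && echo "ok"
```

Run `check_live_dir` once after issuance and again after every renewal; a non-zero exit means nginx should not be reloaded onto those files yet.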

II. Configuring the SSL certificate

1. Edit nginx's configuration file /usr/local/nginx/conf/nginx.conf with vim so that the site listens on port 443 and nginx knows where the certificate and its private key are.

Run:

sudo vim /usr/local/nginx/conf/nginx.conf

and add the following directives inside the site's server{} block. Point them straight at Certbot's live/ directory, as the full configuration at the end of this post does, rather than at a copy under /usr/local/nginx/conf/ssl/: the files in live/ are symlinks that Certbot repoints on every renewal, whereas a copy goes stale after the first renewal:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

2. Open port 443 in the firewall. Add the rule to the INPUT chain above the final REJECT rule (on a CentOS 7 host running firewalld, open the https service with firewall-cmd instead):

vim /etc/sysconfig/iptables   # edit the rules file and add the line below
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT   
/etc/init.d/iptables restart   # reload the firewall rules

3. Redirect HTTP to HTTPS with a 301
Edit /usr/local/nginx/conf/nginx.conf with vim and add a second server block that listens on port 80. With `server_name _;` it catches requests for any host name; `$1` carries the request path, nginx appends the original query string to the rewritten URL by itself, and `permanent` makes the redirect a 301:

server
{
        listen 80;
        server_name _;
        rewrite ^(.*)$ https://<domain>$1 permanent;
}

4. Restart the nginx server
Check the configuration for errors first:

cd /usr/local/nginx/sbin
./nginx -t

The following output means the file has no syntax errors:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Then apply it. nginx was stopped in step 1 of part I, so it must be started again rather than reloaded (`-s reload` fails when no master process is running); use the reload form only when nginx is already up:

./nginx -s reload    # nginx already running: reload the configuration
lnmp nginx start     # nginx was stopped for the challenge: start it again

Open the site in a browser: it now loads over https (the original post shows a screenshot here).
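Steps 1 to 4 above, done as one repeatable script instead of by hand, as an added example (not from the original post or the lnmp package): it renders a vhost that points at Certbot's live/ directory, replaces the `rewrite` with nginx's `return 301` form so the host and full request URI survive the redirect, restricts the protocol versions (nginx's default still offers TLS 1.0 and 1.1), validates the whole configuration with `nginx -t` and only then starts or reloads nginx. The nginx, pid-file and vhost paths follow the lnmp.org layout used in the post and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: render the vhost for a domain
# whose certificate already sits under /etc/letsencrypt/live/, test the
# configuration and only then start or reload nginx. Paths below follow the
# lnmp.org layout from the post and are assumptions, not requirements.

NGINX=/usr/local/nginx/sbin/nginx
NGINX_PID=/usr/local/nginx/logs/nginx.pid
VHOST_DIR=/usr/local/nginx/conf/vhost   # picked up by "include vhost/*.conf;"

# Print an HTTPS server block for DOMAIN with document root ROOT, plus the
# plain-HTTP listener that only redirects. Written to stdout so it can be
# reviewed before being installed.
render_vhost() {
    domain=$1
    root=$2
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;
    root $root;

    # live/ holds symlinks that Certbot repoints on renewal; never copy them
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # nginx's default still offers TLS 1.0 and 1.1; restrict to 1.2 and 1.3
    # (drop TLSv1.3 on nginx older than 1.13 or OpenSSL older than 1.1.1)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
}

server {
    listen 80;
    server_name $domain;
    # preserve the host and the full request URI, query string included
    return 301 https://\$host\$request_uri;
}
EOF
}

# Install the vhost, validate the whole configuration and apply it. A failed
# "nginx -t" leaves the running nginx untouched and removes the new file so
# the next restart cannot trip over it.
deploy_vhost() {
    domain=$1
    root=$2
    conf="$VHOST_DIR/$domain.conf"
    render_vhost "$domain" "$root" > "$conf"
    if ! "$NGINX" -t; then
        echo "configuration test failed; removing $conf" >&2
        rm -f "$conf"
        return 1
    fi
    # reload if the master process is alive, otherwise start it (it was
    # stopped for the standalone challenge in part I)
    if [ -f "$NGINX_PID" ] && kill -0 "$(cat "$NGINX_PID")" 2>/dev/null; then
        "$NGINX" -s reload
    else
        "$NGINX"
    fi
}

# Open 443 on whichever firewall front end the host runs. The iptables rule
# is runtime only; persist it with the distro's tooling (or the rules file
# edited in the post) afterwards.
open_https_port() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-service=https && firewall-cmd --reload
    elif ! iptables -C INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT 2>/dev/null; then
        iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    fi
}

# Usage: open_https_port && deploy_vhost example.com /home/wwwroot/example
```

Review the output of `render_vhost` before calling `deploy_vhost`; if the site needs `server_name _;` catch-all behaviour on port 80 as in the post, change the redirect block's `server_name` accordingly, the `return 301` line already uses `$host` and works for either.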

III. Example /usr/local/nginx/conf/nginx.conf

user  www www;

worker_processes auto;

error_log  /home/wwwlogs/nginx_error.log  crit;

pid        /usr/local/nginx/logs/nginx.pid;

# Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        # ... omitted

        # the HTTPS site; certificate paths point at Certbot's live/ symlinks
        server
            {
                #listen 80 default_server;
                listen 443 ssl;
                #listen [::]:80 default_server ipv6only=on;
                server_name freedomspread.com;
                root  /home/wwwroot/default;
                ssl_certificate /etc/letsencrypt/live/freedomspread.com/fullchain.pem;
                ssl_certificate_key  /etc/letsencrypt/live/freedomspread.com/privkey.pem;
                #error_page   404   /404.html;

                # ... omitted
            }

        # plain-HTTP listener for any host name: permanent redirect to the HTTPS site
        server
            {
                listen 80;
                server_name _;
                rewrite ^(.*)$ https://freedomspread.com$1 permanent;
            }

        include vhost/*.conf;
    }

IV. Renewing the SSL certificate

Renew before the certificate expires, not after: once it has expired the site throws certificate errors until a new one is installed. The notes printed at issue time already show the intended way, `letsencrypt-auto renew`, which renews only the certificates with fewer than 30 days left and skips the rest, so it can run daily from cron. The command below, as used in the original post, instead re-requests the same names; `--renew-by-default` is an older spelling of `--force-renewal`, which forces issuance even when nothing is due and counts against Let's Encrypt's limit of 5 duplicate certificates per week. With the standalone authenticator, nginx must release port 80 for the duration of the run either way (stop it as in part I, or use `--pre-hook`/`--post-hook`):

./certbot-auto certonly --renew-by-default --email <email> -d <domain1> -d <domain2>
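The renewal done the way Certbot expects, as an added example (not from the original post or the Certbot project): `needs_renewal` applies the same 30-day rule that `renew` uses, `certs_due` lists which of the live/ directories are due, and `renew_due` runs `renew` with hooks so nginx gives up port 80 only on the days a renewal actually happens. The Certbot and nginx paths are assumptions taken from the post's layout.

```shell
#!/bin/sh
# Added example, not from the original post: renew before expiry rather than
# after, and only when a certificate is actually due. Assumes the Certbot
# checkout path from the post and the standalone authenticator, so nginx has
# to release port 80 while the renewal runs (done with hooks here).

CERTBOT=/root/letsencrypt/letsencrypt-auto   # assumed install path
NGINX=/usr/local/nginx/sbin/nginx
LIVE_DIR=/etc/letsencrypt/live

# True (exit 0) when the PEM certificate in $1 expires within $2 days
# (default 30, the threshold Certbot's own "renew" applies). openssl's
# -checkend exits non-zero once the certificate would be expired that far
# ahead, so the result is negated.
needs_renewal() {
    days=${2:-30}
    ! openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null
}

# Print the names of the live/<domain> directories whose certificate is due.
certs_due() {
    live=${1:-$LIVE_DIR}
    days=${2:-30}
    for d in "$live"/*/; do
        [ -f "$d/cert.pem" ] || continue
        if needs_renewal "$d/cert.pem" "$days"; then
            basename "$d"
        fi
    done
}

# Renew every certificate under /etc/letsencrypt that is within 30 days of
# expiry; "renew" skips the rest, so this is safe to run daily from cron:
#   0 3 * * * /root/le-renew.sh
# The hooks run only when a renewal is attempted, so nginx is not bounced
# on the days nothing is due.
renew_due() {
    "$CERTBOT" renew --non-interactive \
        --pre-hook  "$NGINX -s quit" \
        --post-hook "$NGINX"
}

# Usage: certs_due            # list what is due under /etc/letsencrypt/live
#        renew_due            # from the cron wrapper
```

`certs_due` is useful as a monitoring check: anything it prints for more than a day or two means the cron renewal is failing and the expiry-reminder e-mails from Let's Encrypt should be expected next.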

V. References

Obtaining a free Let's Encrypt SSL certificate on CentOS (CentOS申请Let's Encrypt免费SSL证书)